0 Introduction

0.1 General

This International Standard has been prepared to provide a model for
establishing, implementing, operating, monitoring, reviewing, maintaining and
improving an Information Security Management System (ISMS). The adoption
of an ISMS should be a strategic decision for an organization. The design and
implementation of an organization's ISMS is influenced by their needs and
objectives, security requirements, the processes employed and the size and
structure of the organization. These and their supporting systems are expected
to change over time. It is expected that an ISMS implementation will be scaled
in accordance with the needs of the organization, e.g. a simple situation
requires a simple ISMS solution.

This International Standard can be used in order to assess conformance by
interested internal and external parties.


0.2 Process approach

This International Standard adopts a process approach for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving an
organization's ISMS.

An organization needs to identify and manage many activities in order to function
effectively. Any activity using resources and managed in order to enable the
transformation of inputs into outputs can be considered to be a process. Often
the output from one process directly forms the input to the next process.

The application of a system of processes within an organization, together with
the identification and interactions of these processes, and their management,
can be referred to as a "process approach".

The process approach for information security management presented in this
International Standard encourages its users to emphasize the importance of:

a) understanding an organization's information security requirements and the
need to establish policy and objectives for information security;

b) implementing and operating controls to manage an organization's
information security risks in the context of the organization's overall business
risks;

c) monitoring and reviewing the performance and effectiveness of the ISMS; and

d) continual improvement based on objective measurement.

This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model,
which is applied to structure all ISMS processes. Figure 1 illustrates how an
ISMS takes as input the information security requirements and expectations of
the interested parties and through the necessary actions and processes
produces information security outcomes that meet those requirements and
expectations. Figure 1 also illustrates the links in the processes presented in
Clauses 4, 5, 6, 7 and 8.

The adoption of the PDCA model will also reflect the principles as set out in the
OECD Guidelines (2002)1) governing the security of information systems and
networks. This International Standard provides a robust model for implementing
the principles in those guidelines governing risk assessment, security design
and implementation, security management and reassessment.

EXAMPLE 1 

A requirement might be that breaches of information security will not cause 
serious financial damage to an organization and/or cause embarrassment to 
the organization. 

EXAMPLE 2 

An expectation might be that if a serious incident occurs — perhaps hacking of 
an organization’s eBusiness web site — there should be people with sufficient 
training in appropriate procedures to minimize the impact. 

0.3 Compatibility with other management systems 
This International Standard is aligned with ISO 9001:2000 and ISO 
14001:2004 in order to support consistent and integrated implementation and 
operation with related management standards. One suitably designed 
management system can thus satisfy the requirements of all these standards. 
Table C.1 illustrates the relationship between the clauses of this International 
Standard, ISO 9001:2000 and ISO 14001:2004. 

This International Standard is designed to enable an organization to align or
integrate its ISMS with related management system requirements.
Figure 1 — PDCA model applied to ISMS processes

© ISO/IEC 2005 — All rights reserved

4 ISO/IEC 27001:2005(E)

Plan (establish the ISMS): Establish ISMS policy, objectives, processes and
procedures relevant to managing risk and improving information security to
deliver results in accordance with an organization's overall policies and
objectives.

Do (implement and operate the ISMS): Implement and operate the ISMS policy,
controls, processes and procedures.

Check (monitor and review the ISMS): Assess and, where applicable, measure
process performance against ISMS policy, objectives and practical experience
and report the results to management for review.

Act (maintain and improve the ISMS): Take corrective and preventive actions,
based on the results of the internal ISMS audit and management review or other
relevant information, to achieve continual improvement of the ISMS.
1.1 General
This International Standard covers all types of organizations (e.g. commercial 
enterprises, government agencies, non-profit organizations). This 
International Standard specifies the requirements for establishing, 
implementing, operating, monitoring, reviewing, maintaining and improving a 
documented ISMS within the context of the organization’s overall business 
risks. It specifies requirements for the implementation of security controls 
customized to the needs of individual organizations or parts thereof. 

The ISMS is designed to ensure the selection of adequate and proportionate 
security controls that protect information assets and give confidence to 
interested parties. 

NOTE 1: References to ‘business’ in this International Standard should be 
interpreted broadly to mean those activities that are core to the purposes for 
the organization’s existence. 

NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used 
when designing controls. 

1.2 Application 

The requirements set out in this International Standard are generic and are 
intended to be applicable to all organizations, regardless of type, size and 
nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, 
and 8 is not acceptable when an organization claims conformity to this 
International Standard. 

Any exclusion of controls found to be necessary to satisfy the risk 
acceptance criteria needs to be justified and evidence needs to be provided 
that the associated risks have been accepted by accountable persons. 
Where any controls are excluded, claims of conformity to this International 
Standard are not acceptable unless such exclusions do not affect the 
organization’s ability, and/or responsibility, to provide information security 
that meets the security requirements determined by risk assessment and 
applicable legal or regulatory requirements. 

NOTE: If an organization already has an operative business process
management system (e.g. in relation with ISO 9001 or ISO 14001), it is
preferable in most cases to satisfy the requirements of this International
Standard within this existing management system.

2 Normative references

The following referenced documents are indispensable for the application
of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document
(including any amendments) applies.

ISO/IEC 17799:2005, Information technology — Security techniques —
Code of practice for information security management
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply. 


3.1 asset 

anything that has value to the organization. 

[ISO/IEC 13335-1:2004] 

3.2 availability 

the property of being accessible and usable upon demand by an authorized entity. 
[ISO/IEC 13335-1:2004] 

3.3 confidentiality 

the property that information is not made available or disclosed to unauthorized individuals, 
entities, or processes. 

[ISO/IEC 13335-1:2004] 

3.4 information security 

preservation of confidentiality, integrity and availability of information; in addition, other 
properties such as authenticity, accountability, non-repudiation and reliability can also be 
involved. 

[ISO/IEC 17799:2005] 

3.5 information security event 

an identified occurrence of a system, service or network state indicating a possible breach 
of information security policy or failure of safeguards, or a previously unknown situation that 
may be security relevant. 

[ISO/IEC TR 18044:2004] 

3.6 information security incident 

a single or a series of unwanted or unexpected information security events that have a 
significant probability of compromising business operations and threatening information 
security. 

[ISO/IEC TR 18044:2004] 


3.7 information security management system (ISMS)

that part of the overall management system, based on a business risk approach, to 
establish, implement, operate, monitor, review, maintain and improve information security. 
NOTE: The management system includes organizational structure, policies, planning 
activities, responsibilities, practices, procedures, processes and resources. 

3.8 integrity 

the property of safeguarding the accuracy and completeness of assets. 

[ISO/IEC 13335-1:2004] 

3.9 residual risk 

the risk remaining after risk treatment. 

[ISO/IEC Guide 73:2002] 

3.10 risk acceptance 

decision to accept a risk. 

[ISO/IEC Guide 73:2002] 


3.11 risk analysis 
systematic use of information to identify sources and to estimate the risk.
[ISO/IEC Guide 73:2002] 


3.12 risk assessment 

overall process of risk analysis and risk evaluation. 

[ISO/IEC Guide 73:2002] 

3.13 risk evaluation 

process of comparing the estimated risk against given risk criteria to determine the 
significance of the risk. 

[ISO/IEC Guide 73:2002] 

3.14 risk management 

coordinated activities to direct and control an organization with regard to risk. 
[ISO/IEC Guide 73:2002] 


3.15 risk treatment 

process of selection and implementation of measures to modify risk. 

[ISO/IEC Guide 73:2002] 

NOTE: In this International Standard the term 'control' is used as a synonym for 'measure'.

3.16 statement of applicability

documented statement describing the control objectives and controls that are relevant and 
applicable to the organization’s ISMS. 

NOTE: Control objectives and controls are based on the results and conclusions of the risk
assessment and risk treatment processes, legal or regulatory requirements, contractual
obligations and the organization's business requirements for information security.
4 Information security management systems

4.1 General requirements

The organization shall establish, implement, operate, monitor, review, maintain and
improve a documented ISMS within the context of the organization's overall
business activities and risk it faces. For the purposes of this International Standard
the process used is based on the PDCA model shown in Figure 1.


4.2 Establishing and managing the ISMS 

4.2.1 Establish the ISMS 

The organization shall do the following.

a) Define the scope and boundaries of the ISMS in terms of the characteristics
of the business, the organization, its location, assets and technology, and
including details of and justification for any exclusions from the
scope (see 1.2).

b) Define an ISMS policy in terms of the characteristics of the business, the 
organization, its location, assets and technology that: 

1) Includes a framework for setting objectives and establishes an overall sense 
of direction and principles for action with regard to information security; 

2) Takes into account business and legal or regulatory requirements, and 
contractual security obligations; 

3) Aligns with organization’s strategic risk management context in which the 
establishment and maintenance of the ISMS will take place; 

4) Establishes criteria against which risk will be evaluated [see 4.2.1c)]; and

5) Has been approved by management. 

NOTE: For the purposes of this International Standard, the ISMS policy is
considered as a superset of the information security policy. These policies can be
described in one document.

c) Define the risk assessment approach of the organization.

1) Identify a risk assessment methodology that is suited to the ISMS, and the
identified business information security, legal and regulatory requirements.

2) Develop criteria for accepting the risks and identify the acceptable levels of
risk [see 5.1f)].

The risk assessment methodology selected shall ensure that risk assessments
produce comparable and reproducible results.

NOTE: There are different methodologies for risk assessment. Examples of risk
assessment methodologies are discussed in ISO/IEC TR 13335-3, Information
technology — Guidelines for the management of IT Security — Techniques for the
management of IT security.

d) Identify the risks.

1) Identify the assets within the scope of the ISMS, and the owners 2) of these
assets.

2) Identify the threats to those assets.

3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability
may have on the assets.

2) The term 'owner' identifies an individual or entity that has approved management
responsibility for controlling the production, development, maintenance, use and
security of the assets. The term 'owner' does not mean that the person actually has
any property rights to the asset.

e) Analyse and evaluate the risks.

1) Assess the business impacts upon the organization that might result from a
security failure, taking into account the consequences of a loss of
confidentiality, integrity or availability of the assets.

2) Assess the realistic likelihood of security failure occurring in the light of
prevailing threats and vulnerabilities and impacts associated with these
assets, and the controls currently implemented.

3) Estimate the levels of risks.

4) Determine whether the risks are acceptable or require treatment using the
criteria for accepting risks established in 4.2.1c).

f) Identify and evaluate options for the treatment of risks.

Possible actions include:

1) Applying appropriate controls;

2) Knowingly and objectively accepting risks, providing they clearly satisfy the
organization's policies and the criteria for accepting risks [see 4.2.1];

3) Avoiding risks; and

4) Transferring the associated business risks to other parties, e.g. insurers,
suppliers.

g) Select control objectives and controls for the treatment of risks.

The control objectives and controls shall be selected and implemented to meet the
requirements identified by the risk assessment and risk treatment process. This
selection shall take account of the criteria for accepting risks (see 4.2.1c)2)) as well
as legal, regulatory and contractual requirements.

The control objectives and controls from Annex A shall be selected as part of this
process as suitable to cover the identified requirements.

NOTE: Annex A contains a comprehensive list of control objectives and controls
that have been found to be commonly relevant in organizations. Users of this
International Standard are directed to Annex A as a starting point for control
selection to ensure that no important control options are overlooked.

h) Obtain management approval of the proposed residual risks.

i) Obtain management authorization to implement and operate the ISMS.

j) Prepare a Statement of Applicability.

A Statement of Applicability shall be prepared that includes the following:

1) The control objectives and controls selected in 4.2.1g) and the reasons for
their selection;

2) the control objectives and controls currently implemented (see 4.2.1e)2)); and

3) the exclusion of any control objectives and controls in Annex A and the
justification for their exclusion.

NOTE: The Statement of Applicability provides a summary of decisions concerning
risk treatment. Justifying exclusions provides a cross-check that no controls have
been inadvertently omitted.
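The steps of 4.2.1 d) to j) are easier to audit when the register is a structure rather than a spreadsheet. The following Python is an added illustration, not text or code from the standard or from any ISMS product: it walks one constructed register through asset/threat/vulnerability identification, impact and likelihood estimation, comparison against acceptance criteria, the four treatment options of f), and finally builds a Statement of Applicability that fails closed when a catalogue control is neither selected nor excluded with a justification (the cross-check the NOTE above describes). The 1-to-5 scales, the threshold of 9, the `impact x likelihood` formula, the assets and the `CTL-n` catalogue are all constructed assumptions; the ids are not Annex A numbers.

```python
"""Worked risk register for ISO/IEC 27001:2005 clause 4.2.1 d) to j).

Added illustration, not text or code from the standard or any project.
All scales, thresholds, assets, risks and the control catalogue are
constructed for the example; the control ids are NOT Annex A numbers.
"""
from dataclasses import dataclass

# Constructed ordinal scales and acceptance criteria (an organization defines
# its own under 4.2.1 c)); level = impact x likelihood is one possible
# estimation formula for 4.2.1 e)3), not the standard's.
IMPACT = {"low": 1, "moderate": 3, "high": 5}
LIKELIHOOD = {"rare": 1, "possible": 3, "likely": 5}
ACCEPTANCE_THRESHOLD = 9             # levels above this require treatment
TREATMENTS = {"apply_controls", "accept", "avoid", "transfer"}   # 4.2.1 f)


@dataclass
class Risk:
    rid: str
    asset: str                       # 4.2.1 d)1)
    owner: str                       # approved management responsibility, footnote 2)
    threat: str                      # 4.2.1 d)2)
    vulnerability: str               # 4.2.1 d)3)
    affected: tuple                  # which of C, I, A a loss would hit, 4.2.1 d)4)
    impact: str                      # business impact, 4.2.1 e)1)
    likelihood: str                  # realistic likelihood given current controls, e)2)
    treatment: str = ""              # chosen option from TREATMENTS, 4.2.1 f)
    controls: tuple = ()             # catalogue ids selected for this risk, 4.2.1 g)
    justification: str = ""          # required when the option is "accept"
    accepted_by: str = ""            # accountable person (clause 1.2)


def risk_level(r: Risk) -> int:
    """4.2.1 e)3): estimate the level of risk on the constructed scales."""
    return IMPACT[r.impact] * LIKELIHOOD[r.likelihood]


def requires_treatment(r: Risk) -> bool:
    """4.2.1 e)4): compare the estimate against the acceptance criteria."""
    return risk_level(r) > ACCEPTANCE_THRESHOLD


def treatment_findings(r: Risk) -> list:
    """Findings for one risk; an empty list means the decision is consistent
    with 4.2.1 e) and f). Accepting needs a justification and an accountable
    approver; applying controls needs at least one control selected."""
    if not requires_treatment(r):
        return []
    if r.treatment not in TREATMENTS:
        return [f"{r.rid}: level {risk_level(r)} exceeds {ACCEPTANCE_THRESHOLD} "
                "but no treatment option was chosen"]
    if r.treatment == "accept" and not (r.justification and r.accepted_by):
        return [f"{r.rid}: accepted without justification or accountable approver"]
    if r.treatment == "apply_controls" and not r.controls:
        return [f"{r.rid}: 'apply_controls' chosen but no control selected"]
    return []


def statement_of_applicability(catalogue: dict, register: list, exclusions: dict) -> dict:
    """4.2.1 j): every catalogue control ends up either selected (with the
    risks that motivate it) or excluded with a justification. A control that
    is neither raises ValueError, which is the cross-check the NOTE describes."""
    selected = {}
    for r in register:
        for cid in r.controls:
            if cid not in catalogue:
                raise ValueError(f"{r.rid} references unknown control {cid}")
            selected.setdefault(cid, []).append(r.rid)
    soa = {}
    for cid, title in catalogue.items():
        if cid in selected:
            soa[cid] = ("selected", title, "treats " + ", ".join(selected[cid]))
        elif cid in exclusions:
            soa[cid] = ("excluded", title, exclusions[cid])
        else:
            raise ValueError(f"{cid} ({title}) is neither selected nor justified as excluded")
    return soa


# Constructed control catalogue and register (illustrative values only).
CATALOGUE = {
    "CTL-1": "Information backup",
    "CTL-2": "User password management",
    "CTL-3": "Physical entry controls",
}
REGISTER = [
    Risk("R1", "customer database", "head of sales", "ransomware", "untested backups",
         ("I", "A"), "high", "possible", treatment="apply_controls", controls=("CTL-1", "CTL-2")),
    Risk("R2", "public brochure site", "marketing lead", "defacement", "shared admin password",
         ("I",), "low", "likely"),                      # level 5: within acceptance criteria
    Risk("R3", "finance laptop", "CFO", "theft", "unencrypted disk",
         ("C",), "high", "possible", treatment="accept",
         justification="disk encryption rollout funded for next quarter", accepted_by="CFO"),
]
EXCLUSIONS = {"CTL-3": "single leased office; entry control is in the landlord's contract"}

if __name__ == "__main__":
    for r in REGISTER:
        print(r.rid, risk_level(r), "treat" if requires_treatment(r) else "ok", treatment_findings(r))
    for cid, row in statement_of_applicability(CATALOGUE, REGISTER, EXCLUSIONS).items():
        print(cid, *row)
```

The register deliberately stores the decision (`treatment`, `accepted_by`) next to the estimate, so that the records clause 4.3.3 asks for and the management approval in h) and i) can be traced back to the assessment rather than reconstructed later.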


4.2.2 Implement and operate the ISMS

The organization shall do the following.

a) Formulate a risk treatment plan that identifies the appropriate management
action, resources, responsibilities and priorities for managing information
security risks (see 5).

b) Implement the risk treatment plan in order to achieve the identified control
objectives, which includes consideration of funding and allocation of roles and
responsibilities.

c) Implement controls selected in 4.2.1g) to meet the control objectives.

d) Define how to measure the effectiveness of the selected controls or groups of
controls and specify how these measurements are to be used to assess
control effectiveness to produce comparable and reproducible results (see
4.2.3c)).

NOTE: Measuring the effectiveness of controls allows managers and staff to
determine how well controls achieve planned control objectives.

e) Implement training and awareness programmes (see 5.2.2).

f) Manage operations of the ISMS.

g) Manage resources for the ISMS (see 5.2).

h) Implement procedures and other controls capable of enabling prompt
detection of security events and response to security incidents (see 4.2.3a)).
4.2.3 Monitor and review the ISMS

The organization shall do the following.

a) Execute monitoring and reviewing procedures and other controls to:

1) promptly detect errors in the results of processing;

2) promptly identify failed and successful security breaches and incidents;

3) enable management to determine whether the security activities delegated
to people or implemented by information technology are performing as
expected;

4) help detect security events and thereby prevent security incidents by the
use of indicators; and

5) determine whether the actions taken to resolve a breach of security were
effective.

b) Undertake regular reviews of the effectiveness of the ISMS (including meeting
ISMS policy and objectives, and review of security controls) taking into
account results of security audits, incidents, results from effectiveness
measurements, suggestions and feedback from all interested parties.

c) Measure the effectiveness of controls to verify that security requirements
have been met.

d) Review risk assessments at planned intervals and review the residual risks
and identified acceptable levels of risks, taking into account changes to:

1) the organization;

2) technology;

3) business objectives and processes;

4) identified threats;

5) effectiveness of the implemented controls; and

6) external events, such as changes to the legal or regulatory
environment, changed contractual obligations, and changes in social
climate.

e) Conduct internal ISMS audits at planned intervals (see 6).

NOTE: Internal audits, sometimes called first party audits, are conducted by, or on
behalf of, the organization itself for internal purposes.

f) Undertake a management review of the ISMS on a regular basis to ensure
that the scope remains adequate and improvements in the ISMS process are
identified (see 7.1).

g) Update security plans to take into account the findings of monitoring and
reviewing activities.

h) Record actions and events that could have an impact on the effectiveness or
performance of the ISMS (see 4.3.3).

4.2.4 Maintain and improve the ISMS

The organization shall regularly do the following.

a) Implement the identified improvements in the ISMS.

b) Take appropriate corrective and preventive actions in accordance with 8.2
and 8.3. Apply the lessons learnt from the security experiences of other
organizations and those of the organization itself.

c) Communicate the actions and improvements to all interested parties with a
level of detail appropriate to the circumstances and, as relevant, agree on how
to proceed.

d) Ensure that the improvements achieve their intended objectives.

4.3 Documentation requirements

4.3.1 General

Documentation shall include records of management decisions, ensure that actions
are traceable to management decisions and policies, and ensure that the recorded
results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls
back to the results of the risk assessment and risk treatment process, and
subsequently back to the ISMS policy and objectives.

The ISMS documentation shall include:

a) Documented statements of the ISMS policy [see 4.2.1b)] and objectives;

b) The scope of the ISMS [see 4.2.1c];
c) Procedures and controls in support of the ISMS;

d) A description of the risk assessment methodology (see 4.2.1c));

e) The risk assessment report [see 4.2.1c) to 4.2.1g)];

f) The risk treatment plan [see 4.2.2b)];

g) Documented procedures needed by the organization to ensure the effective
planning, operation and control of its information security processes and
describe how to measure the effectiveness of controls (see 4.2.3c));

h) Records required by this International Standard (see 4.3.3); and

i) The Statement of Applicability.

All documentation shall be made available as required by the ISMS policy.

NOTE 1: Where the term "documented procedure" appears within this International
Standard, this means that the procedure is established, documented, implemented
and maintained.

NOTE 2: The extent of the ISMS documentation can differ from one organization to
another owing to:

- the size of the organization and the type of its activities; and

- the scope and complexity of the security requirements and the system being
managed.

NOTE 3: Documents and records may be in any form or type of medium.


4.3.2 Control of documents

Documents required by the ISMS shall be protected and controlled. A documented
procedure shall be established to define the management actions needed to:


a) Approve documents for adequacy prior to issue; 

b) Review and update documents as necessary and re-approve documents; 

c) Ensure that changes and the current revision status of documents are 
identified; 

d) Ensure that relevant version of applicable documents are available at points 
of use; 

e) Ensure that documents remain legible and readily identifiable; 

f) Ensure that documents are available to those who need them, and are 
transferred, stored and ultimately disposed of in accordance with the 
procedures applicable to their classification; 

g) Ensure that documents of external origin are identified; 

h) Ensure that the distribution of documents is controlled;

i) Prevent the unintended use of obsolete documents; and 

j) Apply suitable identification to them if they are retained for any purpose. 

4.3.3 Control of records

Records shall be established and maintained to provide evidence of conformity to
requirements and the effective operation of the ISMS. They shall be protected and
controlled. The ISMS shall take account of any relevant legal or regulatory
requirements and contractual obligations. Records shall remain legible, readily
identifiable and retrievable. The controls needed for the identification, storage,
protection, retrieval, retention time and disposition of the records shall be
documented and implemented.

Records shall be kept of the performance of the process as outlined in 4.2 and of all
occurrences of security incidents related to the ISMS.

EXAMPLE

Examples of records are a visitors book, audit records and completed access
authorization forms.
5 Management responsibility

5.1 Management commitment

Management shall provide evidence of its commitment to the establishment,
implementation, operation, monitoring, review, maintenance and improvement of
the ISMS by:

a) Establishing an ISMS policy;

b) Ensuring that ISMS objectives and plans are established;

c) Establishing roles and responsibilities for information security;

d) Communicating to the organization the importance of meeting information
security objectives and conforming to the information security policy, its
responsibilities under the law and the need for continual improvement;

e) Providing sufficient resources to establish, implement, monitor, review,
maintain and improve the ISMS (see 5.2.1);

f) Deciding the criteria for accepting risks and the acceptable levels of risk;

g) Ensuring that internal ISMS audits are conducted (see 6); and

h) Conducting management reviews of the ISMS (see 7).


5.2 Resource management 


5.2.1 Provision of resources 

The organization shall determine and provide the resources needed to: 

a) Establish, implement, operate, monitor, review, maintain and improve an 
ISMS; 

b) Ensure that information security procedures support the business
requirements;

c) Identify and address legal and regulatory requirements and contractual
security obligations;

d) Maintain adequate security by correct application of all implemented controls;

e) Carry out reviews when necessary, and to react appropriately to the results of
these reviews; and

f) Where required, improve the effectiveness of the ISMS.

5.2.2 Training, awareness and competency 

The organization shall ensure that all personnel who are assigned responsibilities
defined in the ISMS are competent to perform the required tasks by:

a) Determining the necessary competencies for personnel performing work
affecting the ISMS;

b) Providing training or taking other actions (e.g. employing competent
personnel) to satisfy these needs;

c) Evaluating the effectiveness of the actions taken; and

d) Maintaining records of education, training, skills, experience and
qualifications (see 4.3.3).

The organization shall also ensure that all relevant personnel are aware of the
relevance and importance of their information security activities and how they
contribute to the achievement of the ISMS objectives.
6 Internal ISMS audits

The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of its ISMS:

a) Conform to the requirements of this International Standard and relevant legislation or regulations;
b) Conform to the identified information security requirements;
c) Are effectively implemented and maintained; and
d) Perform as expected.

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3) shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8).

NOTE: ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing, may provide helpful guidance for carrying out the internal ISMS audits.
7 Management review of the ISMS

7.1 General

Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (see 4.3.3).
7.2 Review input

The input to a management review shall include:

a) Results of ISMS audits and reviews;
b) Feedback from interested parties;
c) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
d) Status of preventive and corrective actions;
e) Vulnerabilities or threats not adequately addressed in the previous risk assessments;
f) Results from effectiveness measurements;
g) Follow-up actions from previous management reviews;
h) Any changes that could affect the ISMS; and
i) Recommendations for improvement.

7.3 Review output

The output from the management review shall include any decisions and actions related to the following.

a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
   1) Business requirements;
   2) Security requirements;
   3) Business processes affecting the existing business requirements;
   4) Regulatory or legal environment;
   5) Contractual obligations; and
   6) Levels of risk and/or criteria for accepting risks.
d) Resource needs.
e) Improvement to how the effectiveness of controls is being measured.

8 ISMS improvement

8.1 Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).

8.2 Corrective action

The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence. The documented procedures for corrective action shall define requirements for:

a) Identifying nonconformities;
b) Determining the causes of nonconformities;
c) Evaluating the need for action to ensure that nonconformities do not recur;
d) Determining and implementing the corrective action needed;
e) Recording results of action taken (see 4.3.3); and
f) Reviewing of corrective action taken.

8.3 Preventive action

The organization shall determine action to eliminate the cause of potential nonconformities in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:

a) Identifying potential nonconformities and their causes;
b) Evaluating the need for action to prevent occurrence of nonconformities;
c) Determining and implementing preventive action needed;
d) Recording results of action taken (see 4.3.3); and
e) Reviewing of preventive action taken.

The organization shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks.

The priority of preventive actions shall be determined based on the results of the risk assessment.

NOTE: Action to prevent nonconformities is often more cost-effective than corrective action.
Annex A (normative)

Control objectives and controls

The control objectives and controls listed in Table A.1 are directly derived from and aligned with those listed in BS ISO/IEC 17799:2005 Clauses 5 to 15. The lists in Table A.1 are not exhaustive and an organization may consider that additional control objectives and controls are necessary. Control objectives and controls from these tables shall be selected as part of the ISMS process specified in 4.2.1.

ISO/IEC 17799:2005 Clauses 5 to 15 provide implementation advice and guidance on best practice in support of the controls specified in A.5 to A.15.
A.5 Information security policy

A.5.1 Information security policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Information security policy document

Control

An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

A.5.1.2 Review of the information security policy

Control

The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

A.6 Organization of information security

A.6.1 Internal organization

Objective: To manage information security within the organization.

A.6.1.1 Management commitment to information security

Control 

Management shall actively support security within the organization through clear 
direction, demonstrated commitment, explicit assignment, and acknowledgment of 
information security responsibilities. 

A.6.1.2 Information security coordination 

Control 

Information security activities shall be co-ordinated by representatives from different 
parts of the organization with relevant roles and job functions. 

A.6.1.3 Allocation of information security responsibilities 

Control 

All information security responsibilities shall be clearly defined. 

A.6.1.4 Authorization process for information processing facilities 

Control 

A management authorization process for new information processing facilities shall 
be defined and implemented. 

A.6.1.5 Confidentiality agreements 

Control 

Requirements for confidentiality or non-disclosure agreements reflecting the 
organization’s needs for the protection of information shall be identified and 
regularly reviewed. 

A.6.1.6 Contact with authorities 

Control 

Appropriate contacts with relevant authorities shall be maintained. 

A.6.1.7 Contact with special interest groups 

Control 

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.8 Independent review of information security

Control

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

A.6.2 External parties

by external parties.
A.6.2.1 Identification of risks related to external parties

Control 

The risks to the organization’s information and information processing facilities from 
business processes involving external parties shall be identified and appropriate 
controls implemented before granting access. 

A.6.2.2 Addressing security when dealing with customers

Control

All identified security requirements shall be addressed before giving customers access to the organization’s information or assets.

A.6.2.3 Addressing security in third party agreements

Control

Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.

A.7 Asset management

A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

A.7.1.1 Inventory of assets

Control

All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

A.7.1.2 Ownership of assets

Control

All information and assets associated with information processing facilities shall be ‘owned’ 3) by a designated part of the organization.

A.7.1.3 Acceptable use of assets

Control

Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.

3) Explanation: The term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term ‘owner’ does not mean that the person actually has property rights to the asset.
A.7.2 Information classification

Objective: To ensure that information receives an appropriate level of protection.

A.7.2.1 Classification guidelines

Control

Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

A.7.2.2 Information labeling and handling

Control

An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.
A.8 Human resources security

A.8.1 Prior to employment 4)

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
A.8.1.1 Roles and responsibilities 

Control 

Security roles and responsibilities of employees, contractors and third party users 
shall be defined and documented in accordance with the organization’s information 
security policy. 

A.8.1.2 Screening 

Control 

Background verification checks on all candidates for employment, contractors, and 
third party users shall be carried out in accordance with relevant laws, regulations 
and ethics, and proportional to the business requirements, the classification of the 
information to be accessed, and the perceived risks. 

A.8.1.3 Terms and conditions of employment 

Control 

As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization’s responsibilities for information security.

A.8.2 During employment

Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

A.8.2.1 Management responsibilities

Control

Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.

A.8.2.2 Information security awareness, education and training

Control

All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

A.8.2.3 Disciplinary process

Control

There shall be a formal disciplinary process for employees who have committed a security breach.

4) Explanation: The word ‘employment’ is meant here to cover all of the following different situations: employment of people (temporary or longer lasting), appointment of job roles, changing of job roles, assignment of contracts, and the termination of any of these arrangements.
A.8.3 Termination or change of employment

Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

A.8.3.1 Termination responsibilities

Control

Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.

A.8.3.2 Return of assets

Control

All employees, contractors and third party users shall return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.

A.8.3.3 Removal of access rights

Control

The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
A.9 Physical and environmental security

A.9.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information.

A.9.1.1 Physical security perimeter

Control

Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities.

A.9.1.2 Physical entry controls

Control

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

A.9.1.3 Securing offices, rooms and facilities

Control

Physical security for offices, rooms, and facilities shall be designed and applied.
© ISO/IEC 2005 — All rights reserved

21 ISO/IEC 27001:2005(E)

A.9.1.4 Protecting against external and environmental threats

Control

Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.

A.9.1.5 Working in secure areas

Control

Physical protection and guidelines for working in secure areas shall be designed and applied.

A.9.1.6 Public access, delivery and loading areas

Control

Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.9.2 Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.

A.9.2.1 Equipment siting and protection

Control

Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.9.2.2 Supporting utilities

Control

Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.9.2.3 Cabling security

Control

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

A.9.2.4 Equipment maintenance

Control

Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.9.2.5 Security of equipment off-premises

Control

Security shall be applied to off-site equipment taking into account the different risks of working outside the organization’s premises.

A.9.2.6 Secure disposal or re-use of equipment

Control

All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

A.9.2.7 Removal of property

Control

Equipment, information or software shall not be taken off-site without prior authorization.
A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities.

A.10.1.1 Documented operating procedures

Control

Operating procedures shall be documented, maintained, and made available to all users who need them.

A.10.1.2 Change management

Control

Changes to information processing facilities and systems shall be controlled.

A.10.1.3 Segregation of duties

Control

Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

A.10.1.4 Separation of development, test and operational facilities

Control

Development, test and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system.
A.10.2 Third party service delivery management

Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

A.10.2.1 Service delivery

Control

It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

A.10.2.2 Monitoring and review of third party services

Control

The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

A.10.2.3 Managing changes to third party services

Control

Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.
A.10.3 System planning and acceptance

Objective: To minimize the risk of systems failures.

A.10.3.1 Capacity management

Control

The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

A.10.3.2 System acceptance

Control

Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.

A.10.4 Protection against malicious and mobile code

Objective: To protect the integrity of software and information.

A.10.4.1 Controls against malicious code

Control

Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.

A.10.4.2 Controls against mobile code

Control

Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing.

A.10.5 Back-up

Objective: To maintain the integrity and availability of information and information processing facilities.

A.10.5.1 Information back-up

Control

Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.
A.10.6 Network security management

Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

A.10.6.1 Network controls

Control

Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

A.10.6.2 Security of network services

Control

Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

A.10.7 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.

A.10.7.1 Management of removable media

Control

There shall be procedures in place for the management of removable media.

A.10.7.2 Disposal of media
A.10.9.2 On-line transactions

Control

Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

A.10.9.3 Publicly available information

Control

The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification.
A.10.10 Monitoring

Objective: To detect unauthorized information processing activities.

A.10.10.1 Audit logging

Control

Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

A.10.10.2 Monitoring system use

Control

Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.

A.10.10.3 Protection of log information

Control

Logging facilities and log information shall be protected against tampering and unauthorized access.

A.10.10.4 Administrator and operator logs

Control

System administrator and system operator activities shall be logged.

A.10.10.5 Fault logging

Control

Faults shall be logged, analyzed, and appropriate action taken.

A.10.10.6 Clock synchronization

Control

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.
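
The following Python is an added example, not text of ISO/IEC 27001:2005 and not any vendor's implementation, showing one way a logging facility can satisfy A.10.10.3 alongside A.10.10.1 and A.10.10.6: every audit record carries an HMAC over its own body and the previous record's tag, so an edited, removed or reordered entry is detected on verification, and timestamps must not run backwards, which is only meaningful when clocks are synchronized. The key, field names and sample events are constructed for the demonstration.

```python
"""Tamper-evident audit log chain (added example, not text of ISO/IEC 27001:2005).

Each record's tag is an HMAC-SHA256 over the record body and the previous
record's tag, so a stored entry cannot be edited, removed or reordered
without breaking every tag that follows it. The verifying key should be held
by the log collector, not by the host that writes the log, so a compromised
host cannot re-sign a rewritten history. Key, field names and events below
are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

GENESIS_TAG = "0" * 64  # assumed predecessor tag for the first record


def _canonical(body: Dict[str, Any]) -> bytes:
    # Stable serialization so the same body always yields the same tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: str, body: Dict[str, Any]) -> str:
    return hmac.new(key, prev_tag.encode() + b"|" + _canonical(body),
                    hashlib.sha256).hexdigest()


def append_event(key: bytes, log: List[Dict[str, Any]], ts: int,
                 user: str, action: str, outcome: str) -> Dict[str, Any]:
    """Append one audit record (user activity, exception or security event)."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = {"seq": len(log), "ts": ts, "user": user,
            "action": action, "outcome": outcome}
    entry = dict(body, tag=_tag(key, prev_tag, body))
    log.append(entry)
    return entry


def verify_chain(key: bytes, log: List[Dict[str, Any]],
                 expected_head: Optional[str] = None) -> Optional[str]:
    """Return None if the log is intact, otherwise describe the first problem.

    expected_head is the newest tag as recorded out of band (for example by
    the collector). Without it, silent truncation of the newest records is
    not detectable, because a shortened chain is still internally consistent.
    """
    prev_tag, last_ts = GENESIS_TAG, None
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:
            return f"record {i}: sequence gap (seq={body.get('seq')})"
        if not hmac.compare_digest(_tag(key, prev_tag, body),
                                   str(entry.get("tag", ""))):
            return f"record {i}: tag mismatch (content or predecessor altered)"
        if last_ts is not None and body["ts"] < last_ts:
            return f"record {i}: timestamp earlier than record {i - 1}"
        prev_tag, last_ts = entry["tag"], body["ts"]
    if expected_head is not None and prev_tag != expected_head:
        return "chain head does not match the out-of-band record (truncated?)"
    return None


def build_sample_log(key: bytes) -> List[Dict[str, Any]]:
    """Constructed sample: three events from one user session, a minute apart."""
    log: List[Dict[str, Any]] = []
    for ts, user, action, outcome in [
        (1700000000, "alice", "login", "success"),
        (1700000060, "alice", "read /finance/payroll.xlsx", "denied"),
        (1700000120, "alice", "logout", "success"),
    ]:
        append_event(key, log, ts, user, action, outcome)
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = build_sample_log(key)
    print("intact:", verify_chain(key, log, expected_head=log[-1]["tag"]))
    log[1]["outcome"] = "success"  # simulate a rewritten 'denied' record
    print("edited:", verify_chain(key, log))
```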
A.11 Access control

A.11.1 Business requirement for access control

Objective: To control access to information.

A.11.1.1 Access control policy

Control

An access control policy shall be established, documented, and reviewed based on business and security requirements for access.

A.11.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to information systems.

A.11.2.1 User registration

Control

There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

A.11.2.2 Privilege management

Control

The allocation and use of privileges shall be restricted and controlled.

A.11.2.3 User password management

Control

The allocation of passwords shall be controlled through a formal management process.

A.11.2.4 Review of user access rights

Control

Management shall review users’ access rights at regular intervals using a formal process.
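
As an added example (not text of ISO/IEC 27001:2005 and not any product's code), the following Python shows how the review required by A.11.2.4, together with A.8.3.3 and A.11.2.1, can be checked mechanically: an HR roster is reconciled against a system's account list to find accounts still enabled after termination, accounts with no recorded owner, and accounts whose rights have not been reviewed within an agreed interval. The field names, review intervals and all records are constructed assumptions.

```python
"""Access-rights review (added example, not text of ISO/IEC 27001:2005).

Reconciles an HR roster against a system's account list to surface what
A.8.3.3 (removal of access rights on termination), A.11.2.1 (formal
registration and de-registration) and A.11.2.4 (regular review of access
rights) require management to catch. Field names, review intervals and all
records below are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str                  # "active" or "terminated"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    employee_id: Optional[str]   # None when no owner is recorded
    enabled: bool
    privileged: bool             # holds administrative rights (A.11.2.2)
    last_reviewed: Optional[date]


@dataclass(frozen=True)
class Finding:
    user_id: str
    control: str
    reason: str


def review_access(people: List[Person], accounts: List[Account], today: date,
                  review_days: int = 90,
                  privileged_review_days: int = 30) -> List[Finding]:
    """Return the findings an access review should raise, ordered by user."""
    roster = {p.employee_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account grants nothing; nothing to revoke
        owner = roster.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings.append(Finding(acct.user_id, "A.11.2.1",
                                    "no owner in HR roster (orphan account)"))
        elif owner.status == "terminated":
            since = (f"{(today - owner.left_on).days} days "
                     if owner.left_on else "")
            findings.append(Finding(acct.user_id, "A.8.3.3",
                                    f"still enabled {since}after termination"))
        # Privileged accounts are reviewed on a shorter cycle (assumed policy).
        limit = privileged_review_days if acct.privileged else review_days
        if acct.last_reviewed is None or (today - acct.last_reviewed).days > limit:
            kind = "privileged " if acct.privileged else ""
            findings.append(Finding(acct.user_id, "A.11.2.4",
                                    f"{kind}access rights not reviewed within {limit} days"))
    return sorted(findings, key=lambda f: (f.user_id, f.control))


# Constructed sample data.
TODAY = date(2024, 6, 30)
PEOPLE = [
    Person("E001", "active"),
    Person("E002", "terminated", date(2024, 5, 31)),
    Person("E003", "active"),
]
ACCOUNTS = [
    Account("alice", "E001", True, False, date(2024, 5, 1)),    # in order
    Account("bob", "E002", True, True, date(2024, 4, 1)),        # left, still enabled
    Account("carol", "E003", True, True, date(2024, 5, 15)),     # admin, review overdue
    Account("svc-backup", None, True, False, date(2024, 6, 1)),  # no recorded owner
    Account("dave", "E004", False, False, None),                 # already disabled
]


if __name__ == "__main__":
    for f in review_access(PEOPLE, ACCOUNTS, TODAY):
        print(f"{f.user_id:<12}{f.control:<10}{f.reason}")
```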

A.11.3 User responsibilities

Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.

A.11.3.1 Password use

Control

Users shall be required to follow good security practices in the selection and use of passwords.

A.11.3.2 Unattended user equipment

Control

Users shall ensure that unattended equipment has appropriate protection.

A.11.3.3 Clear desk and clear screen policy

Control

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
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A.11.4 Network access control 
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PSE EL A: ESR ARPS ALIN D7 [al PI ZR ARS; Objective: To prevent unauthorized access to networked services. 
A.11.4.1 PIS ARS AE FA IE SR A. 11.4.1 Policy on use of network services 


Control 

Users shall only be provided with access to the services that they have been 
specifically authorized to use. 

À. 11.4.2 User authentication for external connections 

Control 

Appropriate authentication methods shall be used to control access by remote 
users. 

A. 11.4.3 Equipment identification in networks 

Control 


Automatic equipment identification shall be considered as a means to authenticate 
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connections from specific locations and equipment. 

A. 11.4.4 Remote diagnostic and configuration port protection 

Control 

Physical and logical access to diagnostic and configuration ports shall be controlled. 
A. 11.4.5 Segregation in networks 

Control 

Groups of information services, users, and information systems shall be segregated 
on networks. 

A.11.4.6 Network connection control

Control 

For shared networks, especially those extending across the organization’s 
boundaries, the capability of users to connect to the network shall be restricted, in 
line with the access control policy and requirements of the business applications 
(see 11.1). 

A.11.4.7 Network routing control

Control 

Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.
A.11.5 Operating system access control

Objective: To prevent unauthorized access to operating systems.

A.11.5.1 Secure log-on procedures

Control 

Access to operating systems shall be controlled by a secure log-on procedure. 

A.11.5.2 User identification and authentication

Control 

All users shall have a unique identifier (user ID) for their personal use only, and a 
suitable authentication technique shall be chosen to substantiate the claimed 
identity of a user. 

A.11.5.3 Password management system

Control 

Systems for managing passwords shall be interactive and shall ensure quality 
passwords. 

A.11.5.4 Use of system utilities

Control 

The use of utility programs that might be capable of overriding system and 
application controls shall be restricted and tightly controlled. 

A.11.5.5 Session time-out

Control 

Inactive sessions shall shut down after a defined period of inactivity. 

A.11.5.6 Limitation of connection time

Control 

Restrictions on connection times shall be used to provide additional security for high-risk applications.

A.11.6 Application and information access control

Objective: To prevent unauthorized access to information held in application systems.

A.11.6.1 Information access restriction

Control

Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.

A.11.6.2 Sensitive system isolation

Control

Sensitive systems shall have a dedicated (isolated) computing environment.

A.11.7 Mobile computing and teleworking

Objective: To ensure information security when using mobile computing and teleworking facilities.

A.11.7.1 Mobile computing and communications

Control

A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities.

A.11.7.2 Teleworking 

Control 

A policy, operational plans and procedures shall be developed and implemented for teleworking activities.

A.12 Information systems acquisition, development and maintenance


A.12.1 Security requirements of information systems

Objective: To ensure that security is an integral part of information systems.

A.12.1.1 Security requirements analysis and specification

Control

Statements of business requirements for new information systems, or enhancements to existing information systems shall specify the requirements for security controls.

A.12.2 Correct processing in applications

Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.

A.12.2.1 Input data validation

Control

Data input to applications shall be validated to ensure that this data is correct and appropriate.

A.12.2.2 Control of internal processing

Control

Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

A.12.2.3 Message integrity

© ISO/IEC 2005 — All rights reserved
ISO/IEC 27001:2005(E)

Control

Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented.

A.12.2.4 Output data validation

Control

Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

A.12.3 Cryptographic controls

Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

A.12.3.1 Policy on the use of cryptographic controls

Control 

A policy on the use of cryptographic controls for protection of information shall be 
developed and implemented. 

A.12.3.2 Key management 

Control 

Key management shall be in place to support the organization's use of cryptographic techniques.

A.12.4 Security of system files

Objective: To ensure the security of system files.

A.12.4.1 Control of operational software

Control 

There shall be procedures in place to control the installation of software on 
operational systems. 

A.12.4.2 Protection of system test data 

Control 

Test data shall be selected carefully, and protected and controlled. 

A.12.4.3 Access control to program source code 

Control 


Access to program source code shall be restricted. 

A.12.5 Security in development and support processes

Objective: To maintain the security of application system software and information.

A.12.5.1 Change control procedures

Control 

The implementation of changes shall be controlled by the use of formal change 
control procedures. 

A.12.5.2 Technical review of applications after operating system changes 

Control 

When operating systems are changed, business critical applications shall be 
reviewed and tested to ensure there is no adverse impact on organizational 
operations or security. 

A.12.5.3 Restrictions on changes to software packages

Control

Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

A.12.5.4 Information leakage

Control

Opportunities for information leakage shall be prevented.

A.12.5.5 Outsourced software development

Control

Outsourced software development shall be supervised and monitored by the

A.12.6 Technical vulnerability management

Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

A.12.6.1 Control of technical vulnerabilities

Control 

Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses

Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

A.13.1.1 Reporting information security events

Control

Information security events shall be reported through appropriate management channels as quickly as possible.

A.13.1.2 Reporting security weaknesses

Control

All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.

A.13.2 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

A.13.2.1 Responsibilities and procedures

Control 

Management responsibilities and procedures shall be established to ensure a quick, 
effective, and orderly response to information security incidents. 

A.13.2.2 Learning from information security incidents 

Control 

There shall be mechanisms in place to enable the types, volumes, and costs of 
information security incidents to be quantified and monitored. 


A.13.2.3 Collection of evidence

Control

Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

A.14 Business continuity management

A.14.1 Information security aspects of business continuity management

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

A.14.1.1 Including information security in the business continuity management process

Control 

A managed process shall be developed and maintained for business continuity 
throughout the organization that addresses the information security requirements 
needed for the organization’s business continuity. 

A.14.1.2 Business continuity and risk assessment 

Control 

Events that can cause interruptions to business processes shall be identified, along 
with the probability and impact of such interruptions and their consequences for 
information security. 

A.14.1.3 Developing and implementing continuity plans including information 
security 

Control 

Plans shall be developed and implemented to maintain or restore operations and 
ensure availability of information at the required level and in the required time scales 
following interruption to, or failure of, critical business processes. 

A.14.1.4 Business continuity planning framework 

Control 

A single framework of business continuity plans shall be maintained to ensure all 
plans are consistent, to consistently address information security requirements, and 
to identify priorities for testing and maintenance. 

A.14.1.5 Testing, maintaining and reassessing business continuity plans

Control

Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective.

A.15 Compliance

A.15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

A.15.1.1 Identification of applicable legislation

Control

All relevant statutory, regulatory and contractual requirements and the 
organization’s approach to meet these requirements shall be explicitly defined, 
documented, and kept up to date for each information system and the organization.

A.15.1.2 Intellectual property rights (IPR)

Control 

Appropriate procedures shall be implemented to ensure compliance with legislative, 
regulatory, and contractual requirements on the use of material in respect of which 
there may be intellectual property rights and on the use of proprietary software 
products. 

A.15.1.3 Protection of organizational records 

Control 

Important records shall be protected from loss, destruction and falsification, in 
accordance with statutory, regulatory, contractual, and business requirements.

A.15.1.4 Data protection and privacy of personal information

Control 

Data protection and privacy shall be ensured as required in relevant legislation, 
regulations, and, if applicable, contractual clauses. 

A.15.1.5 Prevention of misuse of information processing facilities 

Control 

Users shall be deterred from using information processing facilities for unauthorized 
purposes. 

A.15.1.6 Regulation of cryptographic controls 

Control 

Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

A.15.2 Compliance with security policies and standards, and technical compliance

Objective: To ensure compliance of systems with organizational security policies and standards.

A.15.2.1 Compliance with security policies and standards

Control 

Managers shall ensure that all security procedures within their area of responsibility 
are carried out correctly to achieve compliance with security policies and standards.

A.15.2.2 Technical compliance checking

Control 

Information systems shall be regularly checked for compliance with security implementation standards.

A.15.3 Information systems audit considerations

Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

A.15.3.1 Information systems audit controls

Control

Audit requirements and activities involving checks on operational systems shall be 
carefully planned and agreed to minimize the risk of disruptions to business 
processes. 

A.15.3.2 Protection of information systems audit tools 

Control 

Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.